Описание
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
A flaw was found in Golang's protobuf module, where the unmarshal function can enter an infinite loop when processing certain invalid inputs. This issue occurs during unmarshaling into a message that includes a google.protobuf.Any or when the UnmarshalOptions.DiscardUnknown option is enabled. This flaw allows an attacker to craft malicious input tailored to trigger the identified flaw in the unmarshal function. By providing carefully constructed invalid inputs, they could potentially cause the function to enter an infinite loop, resulting in a denial of service condition or other unintended behaviors in the affected system.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-waiters-rhel8 | Affected | ||
| cert-manager Operator for Red Hat OpenShift | cert-manager/cert-manager-operator-rhel9 | Not affected | ||
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-rhel9 | Not affected | ||
| Logical Volume Manager Storage | lvms4/lvms-rhel9-operator | Under investigation | ||
| Logical Volume Manager Storage | lvms4/topolvm-rhel9 | Under investigation | ||
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-validation-rhel9 | Affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/addon-manager-rhel8 | Will not fix | ||
| Multicluster Engine for Kubernetes | multicluster-engine/agent-service-rhel8 | Under investigation | ||
| Multicluster Engine for Kubernetes | multicluster-engine/cluster-api-provider-azure-rhel8 | Under investigation | ||
| Multicluster Engine for Kubernetes | multicluster-engine-cluster-proxy-addon-container | Under investigation |
Показывать по
Дополнительная информация
Статус:
EPSS
5.9 Medium
CVSS3
Связанные уязвимости
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
The protojson.Unmarshal function can enter an infinite loop when unmar ...
EPSS
5.9 Medium
CVSS3